github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2686 from SpiderLabs/v3/dev/issue_2670_a

Browse Source 
Support SecRequestBodyNoFilesLimit
This commit is contained in:
martinhsv 2022-02-25 10:40:53 -05:00 committed by GitHub
commit f5efd9ab8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 463 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
headers/modsecurity/rules_set_properties.h
View File

@ -368,6 +368,7 @@ class RulesSetProperties {
to->m_argumentsLimit.merge(&from->m_argumentsLimit); to->m_argumentsLimit.merge(&from->m_argumentsLimit);
to->m_requestBodyJsonDepthLimit.merge(&from->m_requestBodyJsonDepthLimit); to->m_requestBodyJsonDepthLimit.merge(&from->m_requestBodyJsonDepthLimit);
to->m_requestBodyLimit.merge(&from->m_requestBodyLimit); to->m_requestBodyLimit.merge(&from->m_requestBodyLimit);
to->m_requestBodyNoFilesLimit.merge(&from->m_requestBodyNoFilesLimit);
to->m_responseBodyLimit.merge(&from->m_responseBodyLimit); to->m_responseBodyLimit.merge(&from->m_responseBodyLimit);
merge_bodylimitaction_value(to->m_requestBodyLimitAction, merge_bodylimitaction_value(to->m_requestBodyLimitAction,

108
src/transaction.cc
View File

@ -804,25 +804,43 @@ int Transaction::processRequestBody() {
*/ */
std::unique_ptr<std::string> a = m_variableRequestHeaders.resolveFirst( std::unique_ptr<std::string> a = m_variableRequestHeaders.resolveFirst(
"Content-Type"); "Content-Type");
bool requestBodyNoFilesLimitExceeded = false;
if ((m_requestBodyType == WWWFormUrlEncoded) ||
(m_requestBodyProcessor == JSONRequestBody) ||
(m_requestBodyProcessor == XMLRequestBody)) {
if ((m_rules->m_requestBodyNoFilesLimit.m_set)
&& (m_requestBody.str().size() > m_rules->m_requestBodyNoFilesLimit.m_value)) {
m_variableReqbodyError.set("1", 0);
m_variableReqbodyErrorMsg.set("Request body excluding files is bigger than the maximum expected.", 0);
m_variableInboundDataError.set("1", m_variableOffset);
ms_dbg(5, "Request body excluding files is bigger than the maximum expected.");
requestBodyNoFilesLimitExceeded = true;
}
}
#ifdef WITH_LIBXML2 #ifdef WITH_LIBXML2
if (m_requestBodyProcessor == XMLRequestBody) { if (m_requestBodyProcessor == XMLRequestBody) {
std::string error; // large size might cause issues in the parsing itself; omit if exceeded
if (m_xml->init() == true) { if (!requestBodyNoFilesLimitExceeded) {
m_xml->processChunk(m_requestBody.str().c_str(), std::string error;
m_requestBody.str().size(), if (m_xml->init() == true) {
&error); m_xml->processChunk(m_requestBody.str().c_str(),
m_xml->complete(&error); m_requestBody.str().size(),
} &error);
if (error.empty() == false) { m_xml->complete(&error);
m_variableReqbodyError.set("1", m_variableOffset); }
m_variableReqbodyErrorMsg.set("XML parsing error: " + error, if (error.empty() == false) {
m_variableOffset); m_variableReqbodyError.set("1", m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("XML parsing error: " \ m_variableReqbodyErrorMsg.set("XML parsing error: " + error,
+ error, m_variableOffset); m_variableOffset);
m_variableReqbodyProcessorError.set("1", m_variableOffset); m_variableReqbodyProcessorErrorMsg.set("XML parsing error: " \
} else { + error, m_variableOffset);
m_variableReqbodyError.set("0", m_variableOffset); m_variableReqbodyProcessorError.set("1", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset); } else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
}
} }
#endif #endif
#if WITH_YAJL #if WITH_YAJL
@ -831,26 +849,29 @@ int Transaction::processRequestBody() {
#else #else
if (m_requestBodyProcessor == JSONRequestBody) { if (m_requestBodyProcessor == JSONRequestBody) {
#endif #endif
std::string error; // large size might cause issues in the parsing itself; omit if exceeded
if (m_rules->m_requestBodyJsonDepthLimit.m_set) { if (!requestBodyNoFilesLimitExceeded) {
m_json->setMaxDepth(m_rules->m_requestBodyJsonDepthLimit.m_value); std::string error;
} if (m_rules->m_requestBodyJsonDepthLimit.m_set) {
if (m_json->init() == true) { m_json->setMaxDepth(m_rules->m_requestBodyJsonDepthLimit.m_value);
m_json->processChunk(m_requestBody.str().c_str(), }
m_requestBody.str().size(), if (m_json->init() == true) {
&error); m_json->processChunk(m_requestBody.str().c_str(),
m_json->complete(&error); m_requestBody.str().size(),
} &error);
if (error.empty() == false && m_requestBody.str().size() > 0) { m_json->complete(&error);
m_variableReqbodyError.set("1", m_variableOffset); }
m_variableReqbodyProcessorError.set("1", m_variableOffset); if (error.empty() == false && m_requestBody.str().size() > 0) {
m_variableReqbodyErrorMsg.set("JSON parsing error: " + error, m_variableReqbodyError.set("1", m_variableOffset);
m_variableOffset); m_variableReqbodyProcessorError.set("1", m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("JSON parsing error: " \ m_variableReqbodyErrorMsg.set("JSON parsing error: " + error,
+ error, m_variableOffset); m_variableOffset);
} else { m_variableReqbodyProcessorErrorMsg.set("JSON parsing error: " \
m_variableReqbodyError.set("0", m_variableOffset); + error, m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset); } else {
m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset);
}
} }
#endif #endif
#if defined(WITH_LIBXML2) or defined(WITH_YAJL) #if defined(WITH_LIBXML2) or defined(WITH_YAJL)
@ -859,11 +880,13 @@ int Transaction::processRequestBody() {
if (m_requestBodyType == MultiPartRequestBody) { if (m_requestBodyType == MultiPartRequestBody) {
#endif #endif
std::string error; std::string error;
int reqbodyNoFilesLength = 0;
if (a != NULL) { if (a != NULL) {
Multipart m(*a, this); Multipart m(*a, this);
if (m.init(&error) == true) { if (m.init(&error) == true) {
m.process(m_requestBody.str(), &error, m_variableOffset); m.process(m_requestBody.str(), &error, m_variableOffset);
} }
reqbodyNoFilesLength = m.m_reqbody_no_files_length;
m.multipart_complete(&error); m.multipart_complete(&error);
} }
if (error.empty() == false) { if (error.empty() == false) {
@ -873,13 +896,22 @@ int Transaction::processRequestBody() {
m_variableOffset); m_variableOffset);
m_variableReqbodyProcessorErrorMsg.set("Multipart parsing " \ m_variableReqbodyProcessorErrorMsg.set("Multipart parsing " \
"error: " + error, m_variableOffset); "error: " + error, m_variableOffset);
} else if (((m_rules->m_requestBodyNoFilesLimit.m_set)
&& (reqbodyNoFilesLength > m_rules->m_requestBodyNoFilesLimit.m_value))) {
m_variableReqbodyError.set("1", 0);
m_variableReqbodyErrorMsg.set("Request body excluding files is bigger than the maximum expected.", 0);
m_variableInboundDataError.set("1", m_variableOffset);
ms_dbg(5, "Request body excluding files is bigger than the maximum expected.");
} else { } else {
m_variableReqbodyError.set("0", m_variableOffset); m_variableReqbodyError.set("0", m_variableOffset);
m_variableReqbodyProcessorError.set("0", m_variableOffset); m_variableReqbodyProcessorError.set("0", m_variableOffset);
} }
} else if (m_requestBodyType == WWWFormUrlEncoded) { } else if (m_requestBodyType == WWWFormUrlEncoded) {
m_variableOffset++; m_variableOffset++;
extractArguments("POST", m_requestBody.str(), m_variableOffset); // large size might cause issues in the parsing itself; omit if exceeded
if (!requestBodyNoFilesLimitExceeded) {
extractArguments("POST", m_requestBody.str(), m_variableOffset);
}
} else if (m_requestBodyType != UnknownFormat) { } else if (m_requestBodyType != UnknownFormat) {
/** /**
* FIXME: double check to see if that is a valid scenario... * FIXME: double check to see if that is a valid scenario...

392
test/test-cases/regression/config-body_limits.json
View File

@ -386,6 +386,398 @@
"SecResponseBodyLimitAction Reject", "SecResponseBodyLimitAction Reject",
"SecResponseBodyLimit 5" "SecResponseBodyLimit 5"
] ]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - urlencoded, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/x-www-form-urlencoded"
},
"uri":"/",
"method":"POST",
"body": [
"param1=value1&param2=value2&param3=value3"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - urlencoded, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/x-www-form-urlencoded"
},
"uri":"/",
"method":"POST",
"body": [
"param1=value1&param2=value2&param3=value3"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 60",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - json, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/json"
},
"uri":"/",
"method":"POST",
"body": [
"{\"param1\":{\"param2\":\"value2\",\"param3\":\"value3\"}}"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - json, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/json"
},
"uri":"/",
"method":"POST",
"body": [
"{\"param1\":{\"param2\":\"value2\",\"param3\":\"value3\"}}"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 80",
"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - xml, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "application/xml"
},
"uri":"/",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><aaa><bbb>ccc</bbb><ddd>eee</ddd></aaa>"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQUEST_HEADERS:Content-Type \"(?:application(?:/soap\\+|/)|text/)xml\" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - xml, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "application/xml"
},
"uri":"/",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><aaa><bbb>ccc</bbb><ddd>eee</ddd></aaa>"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 90",
"SecRule REQUEST_HEADERS:Content-Type \"(?:application(?:/soap\\+|/)|text/)xml\" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - multipart, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "multipart/form-data; boundary=0000"
},
"uri":"/",
"method":"POST",
"body": [
"--0000",
"Content-Disposition: form-data; name=\"a\"",
"",
"1",
"--0000",
"Content-Disposition: form-data; name=\"b\"; filename=\"c.txt\"",
"",
"2222222222222222222222222222222222222222222222222222222222222222222222",
"--0000--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 80",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - multipart, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "multipart/form-data; boundary=0000"
},
"uri":"/",
"method":"POST",
"body": [
"--0000",
"Content-Disposition: form-data; name=\"a\"",
"",
"1",
"--0000",
"Content-Disposition: form-data; name=\"b\"; filename=\"c.txt\"",
"",
"2222222222222222222222222222222222222222222222222222222222222222222222",
"--0000--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 120",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
} }
] ]